Your Vista Game Plan

Regardless of your personal or professional opinions of Windows Vista, you
know you'll be running it sooner or later. Uptake on new desktop operating systems
tends to be slow, with just over 50 percent of enterprise desktops running them
in the first five years, according to industry analyst firm Forrester Research
Inc. Most may choose to upgrade gradually, in line with new client hardware,
while some may wait until the next planned upgrade cycle.

In Vista's case, there may be good reasons to accelerate adoption, rather than
waiting for the next scheduled upgrade cycle. Security and integrity are two
of the most prominent reasons. Enterprises that are at a significant risk, given
the value of their applications or data, may be attracted to its ability to
provide better safeguards. Vista's higher levels of integrity are also likely
to make it more resistant to attack.

Still, there are doubters. Forrester security analyst Natalie Lambert says
that the security features are a boon for consumers. While helpful in the enterprise,
they will still be supported by third-party products. "Enterprises will
still use virus checkers and spam blockers to supplement Vista," she explained.
"The new security features have to be weighed against the cost of upgraded
hardware. For many, it makes sense to move to Vista with the next hardware upgrade,
not sooner."

So when does it make sense to upgrade? Vista will almost certainly be the mainstream
OS within a few years. Is it worth the hardware and administrative costs to
achieve higher levels of security or integrity, or should migration occur on
the same schedule as previous OS upgrades?

The Keys to Lockdown
Microsoft has undertaken a formidable task trying to secure Vista. Security
is not achievable in an absolute sense, and you don't achieve added security
without cost. That cost is typically measured in the quality of the user experience.
Microsoft's ambitious -- some would say unrealistic -- goal is to improve both
security and user experience.

Microsoft has also labored under legacy burdens that aren't easily swept aside.
Those burdens include the sizeable Windows code base itself. The company builds
new Windows versions from the source of the current one. While large parts are
modified or replaced entirely with every new release, starting from scratch
would mean throwing away a lot of perfectly good technology.

Another legacy burden is applications, both those produced by Microsoft and
those from third-party developers. There are thousands of applications out there
whose required permissions level is above that of users, or is unknown altogether.
Prohibiting these applications from executing would greatly slow Vista adoption,
because users would stay with the OS where their applications ran.

That's not the end of it. An unknown number of custom enterprise applications
were written in the same fashion, requiring administrator rights to the local
machine to execute. Some enterprises fixed their applications when they went
to a locked-down environment over the security issues of the past several years.
Others still have many applications that have to run, at least some of the time,
in a more privileged mode.

With Vista, Microsoft attempted to build an OS that eases users, administrators
and developers into thinking about security in a different way. No one at Microsoft
would declare that Vista is 100 percent bulletproof, but it's no exaggeration
to say that Vista is the most secure Windows OS to date. But is it secure enough
for you to deploy on hundreds or thousands of desktops?

What Microsoft Does for Enterprises
Windows Vista is the first OS Microsoft has built under the laws laid down by
its Security Development Lifecycle (SDL), which were defined several years ago
during the intense security training conducted after the release of Windows
XP. According to Stephen Toulouse, senior product manager for Microsoft's Trustworthy
Computing Group, the SDL consists of processes encompassing security engineering,
reviews by security experts and protection within the OS itself.

The first phase of this lifecycle involves designing features and implementing
code more resistant to attack. Toulouse describes a process whereby each proposed
feature was scrutinized for its security implications prior to being included
as a requirement. "If a feature required a port to always remain open,
or for a high level of access to be maintained, it would get a lot of pushback,"
he explained. "It might have to be implemented in a different way, or not
at all."

The second phase of the security lifecycle is review and testing by industry
security experts. A part of this effort, called BlueHat, involves turning over
working code to experts for analysis and exploitation, as well as follow-on
meetings between those experts and Microsoft developers. In addition to providing
a significant test for the OS code, it also provides an interaction between
Microsoft OS engineers and security experts that almost invariably results in
better code in the future.

Last, Microsoft incorporates security features that make the OS more difficult
to hack and exploit. Features like User Account Control (UAC) and user notifications
of unusual activities make Vista more resistant, but not impenetrable. The goal
is not to provide a fully hack-proof system, but to buy time for other mechanisms
to identify and turn away an attack.

Windows Defender, Windows Firewall and an overhauled Security Center make a
difference here. Windows Defender helps protect against and remove spyware,
adware, root kits, bots, keystroke loggers, control utilities and some other
forms of malware. The Windows Firewall includes both inbound and outbound filtering,
protecting users by restricting OS resources if they behave in unexpected ways.

While
the Security Center has been around since Windows XP SP2, Microsoft has made
improvements, including showing the status of anti-spyware software, Internet
Explorer security settings and UAC. The Vista Security Center can monitor security
solutions from third-party vendors running on a PC and indicate which are enabled
and up-to-date.

Before shipping, Vista also underwent final security reviews, peer reviews
and testing via automated attacks. Automated attacks typically involve code
written to emulate actual attacks from the wild, to determine the ability of
the OS to repulse them or at least slow them down.

Patches and Promises
One of the accepted practices in OSes in recent years has been the concept of
the security patch. Hackers, researchers or even vendors themselves identify
vulnerabilities. The OS vendor, such as Microsoft, Apple or Red Hat, then analyzes
the vulnerability and prepares one or more patches.

Much has been made of the fact that Vista has had fewer security patches in
its first 90 days of availability than comparable OSes from Apple or Red Hat.
While this appears to be a reasonable standard for a new OS, Microsoft disingenuously
included the time before general availability when the OS was only available
to enterprises and MSDN subscribers.

Forrester analyst Jen Albornoz Mulligan notes that the ranking is very different
when only critical flaws are considered. Her conclusion is that there are too
many variables to consider. For those on the front lines, however, the question
for now is: What does it take to keep the machines up-to-date on patches? The
jury is still out on that question, but Windows Vista looks much more promising
than previous versions of Windows.

Ironically, at press time there were news reports of a Vista vulnerability
surrounding .ANI files. According to those reports, .ANI files are used to change
the cursor into an hourglass while a program works, or into a cursor animation
on Web sites. The vulnerability was allowing hackers to break into computers
and install malicious software. Because of a rapidly increasing number of reported
exploits, Microsoft released the patch for this vulnerability early.

There is also security from a physical breach. Many of us have received notification
of a lost or stolen computer containing data on our identity, credit, or buying
habits, and were outraged that the data was not better protected. Here's where
BitLocker, Vista's full volume encryption, comes into play. BitLocker uses hardware-enabled
protection to prevent unauthorized users from accessing data by breaking Windows
file and system protections.

BitLocker incorporates centralized storage and management of encryption keys
in Active Directory, and lets IT administrators store encryption keys and restore
passwords onto a USB key or to a separate file for backup. The encryption system
also enables system recovery in the field, providing a means for users to enter
the restore password and restore their own systems.

The Price of Privilege
There has been a dichotomy between application developers and their users that
has become significant over the past several years. Many enterprise developers
have absolute access to their systems, but they tend not to consider whether
or not their users do. In some cases, they raise privileges because a given
operation won't work unless the process has a high set of privileges.

Developers tend to be philosophical about security issues. At a recent Visual
Studio developer conference, Sam Restead, a senior software engineer for a large
insurance provider, shrugged and said, "I care about security and don't
intentionally write bad code. But the hackers move so fast that no one can keep
up with all the emerging techniques to break into systems."

Not surprisingly, both perception and bandwidth have led to the lack of motivation
by developers in addressing security more rigorously in their applications.
That said, developers don't intentionally write insecure code and are keenly
interested in making sure that an application isn't the cause of a security
breach. The real problem is that there are just too many other things for developers
to do at the same time.

Vista will help most developers write more secure code. It does so, in part,
through the use of UAC. The UAC separates standard user privileges and activities
from those that require administrator access. It changes the definition of a
standard user by including many basic functions that pose no security risk but
that previously required administrative privileges.

Many applications require local machine administrator privileges, so users
can end up with administrative access, invoked only when installing software
or executing an application that requires admin rights. Vista displays a dialog
box requesting the local administrator password, which the user must enter in
order to complete the activity.

If the enterprise locks down desktop systems, UAC can also help there. Admins
have the option of configuring a policy setting that prevents users from encountering
the access dialog, in order to prevent administrative actions entirely.

Alternatively, UAC lets IT admins give desktop users administrative rights,
but normal operations occur using lower privileges. If an application requires
admin rights to continue, it will prompt the user for an OK.

UAC helps users better understand how their system is being used by applications.
After an initial training period, users will come to know the normal behavior
patterns of their applications, enabling them to question unusual or unexplained
requests to upgrade system privileges.

And over time, UAC will help developers. Because those operations requiring
admin privileges are right out there in the open, any inadvertent upgrade in
privileges will become apparent during unit and functional testing.

Microsoft's Toulouse admits that UAC got a bad reputation during early community
releases of Vista. "We had the right idea," he explains, "but
we failed to consider usability. Since that early feedback we've made significant
strides in usability, and believe we have a system that makes more sense to
Vista users."

One unyielding principle is that users are still informed whenever an application
attempts to do something out of the ordinary. This means that many computer
users will be seeing more messages concerning application privileges than they
have in the past. To those who install software on their own systems, the dialog
will be a constant reminder of the Vista security strategy.

The upshot is that users will have to better understand the security implications
of their activities. This may cause confusion unless users are trained in their
security responsibilities. In many enterprises such training is problematic,
as users generally receive only the training they need to perform their job
activities -- and sometimes not even that.

According to BeyondTrust CEO John Moyer, this will be a problem in enterprises.
"Users are focused on their jobs, not on the security messages that pop
up on their screens," he claims. UAC has the potential to cause confusion
for users and increased workload for administrators. It's not going away, though,
so sooner or later developers will have to make their applications run in more
secure environments and users will have to understand what to do when the UAC
dialog box appears.

You can get your hands on most, if not all, of these and other less significant
security features from third parties to use with Windows XP. BeyondTrust, for
example, provides a way to manage user privileges in the IT shop, rather than
on the user's desktop. Adding third-party point solutions does mean a more complex
configuration for installed systems, the need for better management of software
licensing and upgrades, greater costs and perhaps a greater potential for system
conflicts.

Building a More Secure Enterprise
Advocates for one OS over another tend to get viscerally involved in their opinions
on security and usability. The debate among client OSes in enterprises tends
to settle around what version of Windows is best, rather than non-Windows alternatives.
If an enterprise is at risk, either by making regular and common use of high-value
or highly sensitive data, or by losing significant business if systems are taken
offline by attacks, then Vista can help immediately.

There seems to be little question that security is improved with Windows Vista.
Toulouse calls Vista the "best possible baseline for the broadest set of
users." While there's nothing particularly revolutionary about its features,
it's useful to have them aggregated into a single product and used in consistent
ways.

For enterprises, this means that "install and go" is no longer a
reasonable strategy for running a Windows OS. System administrators, application
developers and even end users have to take increasing responsibility in an environment
where known exploits are combined with valuable data to provide ample opportunities
for security violations.

The tradeoff required for better security is greater involvement by users,
administrators and developers in the security process. In deciding whether or
not to accelerate a migration to Vista for security purposes, managers have
to first perform a classic risk analysis. If your clients access data of significant
value to the organization, or your infrastructure has vulnerabilities that put
clients at greater risk of intrusion, then the additional security features
of Vista should be high on your priority list.

But -- and it's a big but -- that means both your staff and users have to get
more involved in security. Users have to understand and take action based on
security messages sent by the OS. Vista will tell them a great deal about the
security state of their desktop, but only if they speak the same language.

Administrators have to make sure that desktops are configured with the applications,
policies and security settings required by users to perform their jobs. Blasting
all desktops with a single image and pushing blanket policies probably won't
cut it if you want to move to Vista today. Using features such as UAC, policies
and the Security Center, administrators have to configure the OS to the precise
security parameters needed to ensure protection of data and systems. Admins
will be on the front lines of helping users understand their new security responsibilities.

Last, developers can no longer assume that users are local machine admins.
Relying on Vista privilege elevation for applications to work will be confusing
to users and show a lack of OS understanding by developers. While it may not
be possible to get rid of privilege elevation entirely, developers have to build
and test with the same security settings as their users.

With a commitment from these three constituencies, Windows Vista will help
an enterprise at risk be measurably more secure. But there's also a word of
caution: Without that commitment, along with training in security policies and
implementation, the equation falls apart, likely resulting in greater confusion
and lost productivity.

There's no going back. All parts of the enterprise will have to have greater
involvement in information security in the future. Vista represents an important
first step in that direction.